The recent RSA Security conference might have seemed like an odd venue to announce a book called Exploiting Software: How to Break Code, but the intention isn't what it seems. The authors hope that showing why software is vulnerable and how people try to take advantage of it will result in more secure systems.

The recent RSA Security conference might have seemed like an odd venue to announce a book called Exploiting Software: How to Break Code, but the intention isn't what it seems. The authors hope that showing why software is vulnerable and how people try to take advantage of it will result in more secure systems.

The author of the foreword, Aviel Rubin, technical director of the Information Security Institute at Johns Hopkins University, puts it this way: The authors "have done a marvelous job of explaining why software is exploitable, of demonstrating how exploits work and of educating the reader on how to avoid writing exploitable code."

For co-author Gary McGraw, this is the latest in a string of books about information security: Earlier works include Securing Java and Building Secure Software. In fact, McGraw sees Exploiting Software as a natural complement to Building Secure Software, which he wrote in 2001.

"Building Secure Software got the ball rolling on software security," McGraw says. "The problem is, on the application side there are a lot of vendors concentrating on the right problem - they understand software is a security problem - but they are taking an outside-in approach, saying if we just do some black-box testing or protect this broken software with an application firewall we'll be OK. That doesn't take into account the true nature of the software exploit, so that's why Greg Hoglund and I decided to write Exploiting Software, to make the discourse about the real problem clearer."

In the book McGraw says "software defects are the single most critical weakness in computer systems" and "bad software is ubiquitous."

Asked if network defenses, then, are merely chewing gum stuck in the cracks of a sinking ship, McGraw says: "The fact is, network security mechanisms are necessary but not sufficient. We keep trying to protect our broken stuff from exploit by building a perimeter defense around it. The notion of defending the edges is not bad, it just doesn't work all the time. Especially when it comes to complex software that is Internet-based, highly distributed and designed to be extensible. As software gets more important and more complicated, the chances of us solving our problem with edge-level network mechanisms is zero. We have to make software more secure from the get-go." (Click here for a full interview with McGraw.)